Trying to figure out if it is possible to have a custom IAM role where it has contributor to the resources but not the ability to create resources. We need a solution besides automating the IAM roles on a resource, I'd rather just give that role on the resource group and not let the developers be able to create new resources. Maybe I do it with Azure Policy but a role would be better since it's easier to automate.
According to the documentation, it says:
By default we use the "Contributor" role that is included into Azure. All subscription resources are accessible to users with the Contributor role.
If you wish to limit the Controller access permissions, you can do so by creating a custom role with a set of permissions required by the Controller.
Thanks #JohnC. According to the SO thread, it says:
Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation.
When you are creating the custom role, check that the Azure permission below is not included in that custom role, as this permission gives the user the right to create a resource group.
If this permission is not included in the custom role, that user will not be able to create a resource group, and hence no Azure resource will be deployed.
Microsoft.Resources/subscriptions/resourceGroups/write
References:
Create or update Azure custom roles using the Azure portal - Azure RBAC | Microsoft Docs
I've been given access to a resource group in Azure, but I still get a 401 page while trying to access it or any resource in that resource group. I have a role assigned to me only in a resource group, not the subscription (maybe this can be the reason?)
Type of my user: Guest
Role for a resource group: Contributor
Contributor role gives full access, except ability to assign roles to other users.
Also, according to the docs:
Guests can be added to administrator roles, which grant them full read and write permissions
What can be the problem?
This is the page I get when trying to access the resource group or any of its resources:
Azure Resource Manager sometimes caches configurations and data to improve performance. When you assign roles or remove role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
Source: Troubleshoot Azure RBAC - Role assignment changes are not being detected
Another option would be to visit the preview portal. Since this is a different website, you will get a new token which reflects the latest state.
I have a client that can only give me full access to one or two resource groups.
I need to deliver some prescripted terraform resources that contain the need for a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription so they want to know if you can tie down using role base access just to that group.
Or should I create an MI account?
Can you lock an SP to a resource group?
You most certainly can. Azure Role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even at individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.
I have Contributor access to a subscription. But I am not able to create an Azure Policy and assign it to a particular resource group under the subscription. What is the role I need to be assigned if I need to create an Azure Policy and apply it at a subscription or management group level?
According to my research, many built-in roles grant permission to Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights. Both Contributor and Reader can use all read Azure Policy operations, but Contributor can also trigger remediation. For more details, please refer to the document.
According to your need, you can try to use the Resource Policy Contributor role.
Besides, you can also try to create a custom role to meet your needs. Azure Policy has several permissions in two resource providers: Microsoft.Authorization and Microsoft.PolicyInsights.
You will require "Owner" role to create Policy Definitions and Policy Assignments.
Please check this documentation, which describes the Owner and Contributor roles and what the Actions and NotActions are for these roles.
I would like to give members of a specific role the ability to create resource groups. Can this be achieved without giving users the co-owner role at the subscription level?
You can grant them contributor rights on the specific Azure subscription, they don't have to be co-owner. This is the least-privilege built-in role available that allows you to create resource groups.
However, you could also create a custom role with only one action:
Microsoft.Resources/subscriptions/resourceGroups/write
Read more here: Custom roles for Azure resources
A user should be able to read a resource group. Not allowing the user to create/delete a resource group.
i. I have created a custom role using a JSON script with the following permissions:
Actions: Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: Microsoft.Resources/subscriptions/resourceGroups/write,
Microsoft.Resources/subscriptions/resourceGroups/delete
ii. Added it using PowerShell cmdlet New-AzureRMRoleDefinition.
But when I assigned this custom role to a user in IAM, the user is still able to create/delete a resource group.
Note: I have used RBAC and IAM services of Azure
Go to the resource group blade >> IAM >> Add (at the top of the blade).
Select Contributor. Select the user. You are done.
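Added example, not from any of the posts above: a small Python model of how Azure RBAC resolves a custom role's Actions/NotActions and the scope of a role assignment. It ties together three of the questions on this page: the custom role that is only meant to read resource groups (Actions read, NotActions write/delete), the single-action role that only creates resource groups, and whether a service principal given Contributor on one resource group can touch anything outside it. The key point it demonstrates is that NotActions only subtract from the Actions of the same role definition; they are not deny rules, so a user who also holds Contributor (at the subscription or the resource group) keeps the right to create and delete resource groups, which is why the read-only custom role above appeared not to work. The Contributor definition is abridged to the NotActions relevant here, the subscription ID is a constructed placeholder, and the function names are this example's own; the evaluation order (per-role allow minus exclude, then union across assignments that reach the target scope) follows the documented Azure model, with deny assignments left out.

```python
"""Simplified model of Azure RBAC evaluation for custom role definitions.

Not Azure SDK code: the role and assignment classes below are this example's
own, used only to illustrate how Actions, NotActions and assignment scope
combine. Deny assignments and data actions are intentionally omitted.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import json


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()
    assignable_scopes: tuple = ()

    def to_json(self) -> str:
        """Render the role in the JSON shape the portal/CLI/PowerShell accept."""
        return json.dumps({
            "Name": self.name,
            "IsCustom": True,
            "Actions": list(self.actions),
            "NotActions": list(self.not_actions),
            "AssignableScopes": list(self.assignable_scopes),
        }, indent=2)

    def grants(self, operation: str) -> bool:
        """Actions minus NotActions, evaluated inside this ONE role only.

        Operation names are case-insensitive and '*' is a wildcard, so
        'Microsoft.Authorization/*/Write' matches
        'Microsoft.Authorization/roleAssignments/write'.
        """
        op = operation.lower()
        allowed = any(fnmatchcase(op, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(op, p.lower()) for p in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # management group, subscription, resource group or resource

    def covers(self, target_scope: str) -> bool:
        """An assignment applies at its own scope and everything beneath it."""
        a = self.scope.lower().rstrip("/")
        t = target_scope.lower().rstrip("/")
        return t == a or t.startswith(a + "/")


def is_permitted(assignments, principal, operation, target_scope) -> bool:
    """Effective permission = UNION over every assignment reaching the scope.

    A NotAction in one role never removes a right granted by another role
    assigned to the same principal; only a deny assignment (not modelled)
    would do that.
    """
    return any(a.principal == principal and a.covers(target_scope)
               and a.role.grants(operation) for a in assignments)


# Built-in Contributor, abridged to the NotActions that matter here.
CONTRIBUTOR = RoleDefinition("Contributor", ("*",), (
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
))
# The read-only custom role from the last question on this page.
RG_READER = RoleDefinition(
    "Resource Group Reader (custom)",
    ("Microsoft.Resources/subscriptions/resourceGroups/read",),
    ("Microsoft.Resources/subscriptions/resourceGroups/write",
     "Microsoft.Resources/subscriptions/resourceGroups/delete"),
)
# The single-action custom role suggested for creating resource groups.
RG_CREATOR = RoleDefinition(
    "Resource Group Creator (custom)",
    ("Microsoft.Resources/subscriptions/resourceGroups/write",),
)

# Constructed placeholder scopes (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_A = SUB + "/resourceGroups/rg-a"
RG_B = SUB + "/resourceGroups/rg-b"
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
STORAGE_WRITE = "Microsoft.Storage/storageAccounts/write"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"


def scenario_results() -> dict:
    """Evaluate the situations discussed on this page and return the outcomes."""
    only_reader = [RoleAssignment("dev", RG_READER, SUB)]
    reader_plus_contrib = only_reader + [RoleAssignment("dev", CONTRIBUTOR, SUB)]
    sp_in_rg_a = [RoleAssignment("sp-terraform", CONTRIBUTOR, RG_A)]
    creator = [RoleAssignment("dev", RG_CREATOR, SUB)]
    return {
        # Custom reader role alone: cannot create a resource group.
        "reader_only_can_create_rg": is_permitted(only_reader, "dev", RG_WRITE, RG_A),
        # Same user also holds Contributor: NotActions do not stop it.
        "reader_plus_contributor_can_create_rg":
            is_permitted(reader_plus_contrib, "dev", RG_WRITE, RG_A),
        # SP scoped to rg-a can write inside rg-a but not in rg-b.
        "sp_can_write_in_rg_a": is_permitted(
            sp_in_rg_a, "sp-terraform", STORAGE_WRITE,
            RG_A + "/providers/Microsoft.Storage/storageAccounts/sa1"),
        "sp_can_write_in_rg_b": is_permitted(
            sp_in_rg_a, "sp-terraform", STORAGE_WRITE,
            RG_B + "/providers/Microsoft.Storage/storageAccounts/sa1"),
        # Contributor excludes role assignment writes (cannot grant access).
        "sp_can_assign_roles": is_permitted(sp_in_rg_a, "sp-terraform",
                                            ROLE_ASSIGN_WRITE, RG_A),
        # Single-action role grants exactly resource group creation.
        "creator_can_create_rg": is_permitted(creator, "dev", RG_WRITE, RG_B),
    }


if __name__ == "__main__":
    print(RG_READER.to_json())
    for name, outcome in scenario_results().items():
        print(f"{name}: {outcome}")
```

Running it prints the read-only role's JSON followed by the six outcomes; the second one (`reader_plus_contributor_can_create_rg`) is the case from the last question, and it comes out True as long as any other assignment grants the write. The practical consequence for the original questions is that removing a permission from a custom role only helps if the principal holds no other role that grants it at that scope or above.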